
You don’t necessarily need to be an android to properly secure your Android device. With a few tips and adhering to a regime of think before you click, we can hopefully demystify some of the otherwise inscrutable security features inherent to the Android platform.

As recent reports of rampant malware and Trojans began to surface via media outlets, the average Android user might not know where to turn to address their security concerns. And with market share on the rise, Android is swiftly becoming more attractive to data miners and thieves alike.

Thankfully for us, the Android operating system is open source, which means there are no constraints on security. You can make your device as accessible or as airtight as you see fit.

Here are some tips you can use to exercise your device’s functionality, spread awareness among other users and — most important of all — increase security:

1.) I shouldn’t have to type this out, but you would be surprised how many people forget to enable a lock screen. Let us not forget that there are still people out there willing to adopt an older form of thievery. Should you realize your phone is suddenly in the physical possession of a third party, a lock screen is essential in providing your data with a first line of defense. Simply browse to ‘Settings’ > ‘Location & security’ to enable a PIN or pattern style lock screen.

“Set up a lock screen pattern that’s unique only to you”

While you’re in ‘Settings’, change your ‘Screen Timeout’ under ‘Display’ to ensure that your lock screen comes on after a period of phone inactivity.

2.) In the event that your phone is compromised, the last thing you would want to do is hand over your data on a silver platter. Avoid storing a master password to access resources on your phone. Encrypt your passwords, or better yet, do not store them at all. This practice is indispensable for keeping your personal data under your own authority. As you browse the web on your device, be aware that any usernames and passwords entered could be saved locally. Use your browser settings to remove stored passwords and/or disable storing altogether.

“Configure password settings to suit your security needs”

3.) Recall that your device can sync with your Google account, so in essence your email, contacts, calendar, and now your apps will be stored in the cloud for easy retrieval.

Without your device’s sync feature, it becomes very tedious to populate everything manually. For this reason, there are apps that will take steps to further protect your data should the lock screen fail to provide adequate protection. One simple way to do this is with App Protector Pro ($1.99 on the Android Market). You can lock down individual applications such as your Gmail, text messages, and more with simple pattern gestures or passwords. There are free alternatives as well, but I cannot vouch for the validity of every app on the market… Which brings me to my next point…

4.) Before you go installing any app you run across, be sure to read the application’s permission request agreement. This often overlooked agreement contains valuable information about the specific permissions the app will use to access your device. These permission requests, such as access to GPS, contacts, external storage, etc., are all coded directly into the Android manifest file. Be mindful of what your application purports to do and what it actually does. Chances are a calculator application does not need access to the Internet or your personal information, so read those permission agreements.

“The agreements are there for a reason. Read them.”
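The check described in item 4, as an added example that is not part of the original article: it reads the `uses-permission` entries from a manifest and reports the sensitive ones the app has no stated reason to request. It assumes the manifest has already been decoded to text XML; the package name and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by android:name in a manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest of a hypothetical calculator app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calculator">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <application android:label="Calculator" />
</manifest>
""".strip()

# Permissions covering the kinds of access item 4 names.
SENSITIVE = {
    "android.permission.INTERNET": "network access",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "network location",
    "android.permission.WRITE_EXTERNAL_STORAGE": "external storage",
}

def requested_permissions(manifest_xml):
    """Return (package, [permission names]) declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    return root.get("package"), [n for n in names if n]

def unexpected_permissions(manifest_xml, expected):
    """List sensitive permissions requested but not in `expected`,
    the set the reviewer considers justified by what the app claims to do."""
    package, names = requested_permissions(manifest_xml)
    findings = [(n, SENSITIVE[n]) for n in names
                if n in SENSITIVE and n not in expected]
    return package, findings

if __name__ == "__main__":
    # A calculator has no obvious need for any sensitive permission.
    pkg, findings = unexpected_permissions(SAMPLE_MANIFEST, expected=set())
    print(f"{pkg}: {len(findings)} permission(s) to question")
    for name, exposes in findings:
        print(f"  {name} -> {exposes}")
```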

5.) Those of us without the greatest carrier coverage sometimes rely on Wi-Fi to do most of our heavy internet browsing. This helps keep data usage down and generally speeds up communications. However, remember that the same rules for standard computers still apply to Android on those free Wi-Fi hotspots. The information your device sends across a Wi-Fi network is not anonymous, so avoid any online banking or financial tracking until you have carrier coverage or access to a more trusted network.

6.) Stay anonymous and, thus, more secure by turning off your geo-location features. Navigate to ‘Settings’ > ‘Location & security’ to disable the use of GPS satellite location and wireless network location. Disabling the wireless network location feature will also make you less traceable to authorities in an emergency situation, so choose your battles wisely. Since there is a thin line between security and anonymity, I will not elaborate on the benefits and pitfalls of being anonymous (perhaps in a future article). For anyone interested in securing their personal data, whether it be their location on Foursquare or a tagged photo on Facebook, every measure counts.

7.) Keep all of your applications and operating system up to date. Your device will periodically remind you of updates ready to be installed from the Android market or OTA via your service carrier. Keeping up to date is crucial for security as there are many exploits and methods for gaining access to restricted data discovered every day. If you find a glitch or unintended use of an application, let the developer know! As a developer myself, feedback is critical – we love getting feedback, both constructive and otherwise. Go back to the Android market to find developer contact information and send them an email. Getting apps patched or updated is vital to the growth and success of Android as a whole.

8.) Take proactive steps to ensure your data is safe in the event of a physical theft of your device. While there is no operating system level security for your SD card built into Android, such as the encryption Blackberry users enjoy – there are still a few ways we can prevent external threats from accessing our data. Where’s my Droid (free and donation version available on the Android market) is a great app I would recommend to everyone. It can help locate your phone in the event of a loss or theft by making it ring or tracking its geo-location on a computer. Where’s my Droid also provides built in protection via a PIN to gain access to the app itself. The ‘attention word,’ specified by the user, activates specified instructions aiding in the recovery of a lost or stolen device.

“Be sure to specify a unique attention phrase.”

Even if recovery is impossible, it is far better to have your identity intact.

9.) Common practices and preemptive safety precautions aside, no method is perfect. This is why it is so very important to back up your data. Take the time to create regular backups of your applications and settings. Syncing your phone with Google is one thing, but backing up your pictures, texts, videos, and other important files is another. I cannot stress enough how important it is to have redundancy in storing data. Try out:

Of course there are hideous amounts of applications out there that will do all of the above and more, though referring again to step No. 4, be sure to know what you are installing onto your phone before giving up access.

10.) Finally, as far as security goes for your Android device, use common sense! Do not install apps hastily without reading the permissions agreement or customer reviews. Use caution when browsing to sites via randomly found QR codes. Do not store your passwords in a file on your device or in an email linked to your device. Try not to reuse your passwords for added security in the event of a data breach. Do not give out or share personal information to those you do not expressly trust.

These are simple precautions that work for more than just Android devices, which should go without saying.

With new ways to access personal information via pioneering technology such as Near Field Communication [NFC] in Google’s Nexus S, one cannot afford to overlook even the most rudimentary security measures.

Whether your Android device is your social media muse or your dependable business buddy, the above steps should prove useful in reducing the risk of accidental data loss.

Matt Mossman is a security researcher for the InfoSec Institute and a co-founder of Killer Android, an organization dedicated to spreading awareness of the Android Open Source Project.

Matt continues to promote the Android platform through social media outlets and scholarly venues. He has developed several Android applications with a few being published on the Android Market. As a University of Michigan graduate, Matt strives to lend his knowledge and experience in parallel with the Android platform ideology.

Though he spends his days as a humble Systems Admin for a renowned communications firm based out of Livonia, MI, Matt spends his nights advocating for Android.

Hi, this is really useful but I do have some questions I was hoping you would be kind enough to answer if you can.
If I put a lock on my screen, will I have to enter the password/ pattern to answer the phone? If so I suspect it will never get answered in time and that’s why people don’t do it.
I can’t find the screen you show in no. 2, I’ve looked through all the ‘settings’ options.
Every app I’ve tried to install so far has wanted all those accesses you show in no. 4 so I haven’t downloaded any yet, am I misunderstanding something? I don’t want anyone to have any info about me.
Finally, I haven’t paid for anything yet (except through my Amazon account) because I’m nervous about putting card numbers on the phone. I’ve only tried to do it at home, on my own broadband, is that safe?

Good article, thank you. I looked at App Protector Pro but there are many adverse reviews especially re circumventing the app locks. So I am concerned about installing it. On the subject of geolocation, of course the issue is security v smart features. So much of the functionality of smart phones relies on knowing your geolocation. Otherwise what’s the point?
